Total
3419 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-9517 | 12 Apache, Apple, Canonical and 9 more | 28 Http Server, Traffic Server, Mac Os X and 25 more | 2025-01-14 | 7.5 High |
| Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. | ||||
| CVE-2019-9511 | 12 Apache, Apple, Canonical and 9 more | 29 Traffic Server, Mac Os X, Swiftnio and 26 more | 2025-01-14 | 7.5 High |
| Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | ||||
| CVE-2023-30570 | 2 Libreswan, Redhat | 7 Libreswan, Enterprise Linux, Openshift and 4 more | 2025-01-14 | 7.5 High |
| pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28. | ||||
| CVE-2023-29735 | 1 Mwm | 1 Edjing Mix | 2025-01-14 | 5.5 Medium |
| An issue found in edjing Mix v.7.09.01 for Android allows a local attacker to cause a denial of service via the database files. | ||||
| CVE-2023-29544 | 1 Mozilla | 2 Firefox, Focus | 2025-01-10 | 6.5 Medium |
| If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. | ||||
| CVE-2023-0616 | 2 Mozilla, Redhat | 6 Thunderbird, Enterprise Linux, Rhel Aus and 3 more | 2025-01-10 | 6.5 Medium |
| If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack. This vulnerability affects Thunderbird < 102.8. | ||||
| CVE-2024-24988 | 1 Mattermost | 1 Mattermost Server | 2025-01-10 | 4.3 Medium |
| Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server. | ||||
| CVE-2024-32476 | 1 Argoproj | 1 Argo Cd | 2025-01-09 | 6.5 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16. | ||||
| CVE-2024-40634 | 2 Argoproj, Redhat | 3 Argo-cd, Argo Cd, Openshift Gitops | 2025-01-09 | 7.5 High |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20. | ||||
| CVE-2024-29893 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-01-09 | 6.5 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12. | ||||
| CVE-2024-42426 | 1 Dell | 1 Powerscale Onefs | 2025-01-08 | 4.3 Medium |
| Dell PowerScale OneFS Versions 9.5.0.x through 9.8.0.x contain an uncontrolled resource consumption vulnerability. A low privilege remote attacker could potentially exploit this vulnerability, leading to denial of service. | ||||
| CVE-2020-7755 | 1 Dat.gui Project | 1 Dat.gui | 2025-01-07 | 7.5 High |
| All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values. | ||||
| CVE-2024-9358 | 1 Thingsboard | 1 Thingsboard | 2025-01-07 | 5.3 Medium |
| A vulnerability has been found in ThingsBoard up to 3.7.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component HTTP RPC API. The manipulation leads to resource consumption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.7.1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed on 2024-07-24 about this vulnerability and announced the release of 3.7.1 for the second half of September 2024. | ||||
| CVE-2023-24535 | 1 Protobuf | 1 Protobuf | 2025-01-06 | 7.5 High |
| Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic. | ||||
| CVE-2023-34109 | 1 Zxcvbn-ts Project | 1 Zxcvbn-ts | 2025-01-06 | 6.5 Medium |
| zxcvbn-ts is an open source password strength estimator written in typescript. This vulnerability affects users running on the nodeJS platform which are using the second argument of the zxcvbn function. It can result in an unbounded resource consumption as the user inputs array is extended with every function call. Browsers are impacted, too but a single user need to do a lot of input changes so that it affects the browser, while the node process gets the inputs of every user of a platform and can be killed that way. This problem has been patched in version 3.0.2. Users are advised to upgrade. Users unable to upgrade should stop using the second argument of the zxcvbn function and use the zxcvbnOptions.setOptions function. | ||||
| CVE-2023-29767 | 1 Appcrossx | 1 Crossx | 2025-01-06 | 5.5 Medium |
| An issue found in CrossX v.1.15.3 for Android allows a local attacker to cause a persistent denial of service via the database files. | ||||
| CVE-2023-35053 | 1 Jetbrains | 1 Youtrack | 2025-01-03 | 7.5 High |
| In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms | ||||
| CVE-2024-1014 | 1 Se-elektronic | 2 E-ddc3.3, E-ddc3.3 Firmware | 2025-01-03 | 6.2 Medium |
| Uncontrolled resource consumption vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could interrupt the availability of the administration panel by sending multiple ICMP packets. | ||||
| CVE-2024-39895 | 1 Monospace | 1 Directus | 2025-01-03 | 6.5 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users. Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard. By modifying the data sent and duplicating many times the fields a DoS attack is possible. This vulnerability is fixed in 10.12.0. | ||||
| CVE-2023-34623 | 1 Jtidy Project | 1 Jtidy | 2025-01-03 | 7.5 High |
| An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. | ||||